<p>Hemant Kumar, <a href="http://hemantkumar.net/">hemantkumar.net</a>. Feed generated Mon, 21 Aug 2017 00:31:30 +0000 (Jekyll v3.5.2).</p>
<h1 id="securing-rest-apis">Securing REST APIs</h1>
<p>RESTful services are stateless; therefore each request needs to be authenticated individually. State in REST terminology means the state of the resource that the API manages, not session state. There may be good reasons to build a stateful API, but that goes against REST principles. It is important to realize that managing sessions is complex and difficult to do securely, as it is prone to replay and impersonation attacks. So what options do we have to secure RESTful services? This post looks into Basic Authentication, MAC (Message Authentication Code), Digital Signatures and OAuth.</p>
<p>When looking at any security aspect, often a lot of terms get thrown around, which can be distracting and sometimes overwhelming. Therefore, before looking at the nitty-gritty of securing RESTful APIs it is worth getting some security jargon out of the way.</p>
<p><em>Oversimplification Disclaimer - I have tried to explain the security basics in a general context, which might result in missing some of the technical nuances.</em></p>
<ul>
<li>
<p><strong>Authentication</strong> - Validation of the sender’s identity so that the receiver knows who they are talking to; e.g. the client sends credentials (either in plaintext or encrypted) to the server, which validates them.</p>
</li>
<li>
<p><strong>Authorization</strong> - Verification that the sender has access to a certain resource. Happens post authentication.</p>
</li>
<li>
<p><strong>Integrity</strong> - Ensuring message contents of a request haven’t changed in transit.</p>
</li>
<li>
<p><strong>Non-repudiation</strong> - Ensuring that the sender cannot deny having sent the message; e.g. your bank cannot deny having sent you a bank statement if it has a valid stamp of the bank on it.</p>
</li>
<li>
<p><strong>Confidentiality</strong> - No one can see the message contents in transit from sender to receiver.</p>
</li>
</ul>
<p>In order to achieve secure communication, be it client to service or service to service, there are fundamentally two problems to solve:</p>
<ol>
<li>Ensure that the message can only be read by the intended recipient.</li>
<li>Ensure that the message is from a known sender and it has not been modified in transit.</li>
</ol>
<p>The first problem can be solved using encryption. Encryption is used to achieve <strong>confidentiality</strong>: only those with the corresponding secret key can read the message. However, encryption alone does not guarantee <strong>integrity</strong>. The second problem can be solved using cryptography that combines encryption with <a href="https://en.wikipedia.org/wiki/Cryptographic_hash_function">hashing</a> to achieve <strong>authenticity</strong> and <strong>integrity</strong> in addition to <strong>confidentiality</strong>.</p>
<h3 id="symmetric-private-key-cryptography">Symmetric (Private key cryptography)</h3>
<p>The same secret key is shared between sender and receiver to encrypt and decrypt the message. You can trust the <strong>authenticity</strong> (from a trusted, known sender) of the message, its <strong>confidentiality</strong> and its <strong>integrity</strong>, but <strong>non-repudiation</strong> cannot be guaranteed. Because the secret key could be shared amongst several participants, there is no single identity attached to the key; the receiver knows the message came from a source in possession of the key, but not which one. The risk of the key falling into the wrong hands is also higher, because it needs to be securely shared amongst the participants, often over the internet. Other options include a face-to-face meeting or use of a trusted courier, but these can often be impractical. The higher the number of participants, the higher the exposure of the key.</p>
<h3 id="asymmetric-public-key-cryptography">Asymmetric (Public key cryptography)</h3>
<p>Different keys are used to encrypt and decrypt the message, which gets us around the shared-key issue we came across in symmetric key cryptography. In order to solve the first secure communication problem mentioned above, the sender uses the <strong>receiver’s public key</strong> to write (encrypt) the message and the receiver uses <strong>their private key</strong> to read (decrypt) it. This establishes <strong>confidentiality</strong> of the message.</p>
<p><img src="../assets/end-to-end-encryption.png" alt="end-to-end-encryption.png" title="End to End Encryption" /></p>
<p>In order to solve the second secure communication problem mentioned above, you use a <a href="https://en.wikipedia.org/wiki/Digital_signature">digital signature</a>. Digitally signing data is equivalent to a physical signature that can only be produced by the signing authority and verified by anyone who knows the signing authority’s signature. Signing uses public key cryptography: the sender uses <strong>their private key</strong> to write the message’s signature, and the receiver uses the <strong>sender’s public key</strong> to check that it is really from the sender. It is a means of attaching identity to a key. It is discussed in further detail in the section on <a href="#message-signing-using-digital-signature">message signing using digital signatures</a> below.</p>
<h2 id="approaches-to-securing-restful-apis">Approaches to securing RESTful APIs</h2>
<p>Having covered the security semantics, we can now look at the different techniques to secure RESTful APIs. These techniques are based on the security fundamentals discussed above.</p>
<h3 id="basic-authentication">Basic Authentication</h3>
<p>The simplest way to authenticate senders is to use HTTP Basic Authentication. The sender’s credentials (username and password) are base64 encoded and sent across in an HTTP header.</p>
<div class="highlighter-rouge"><pre class="highlight"><code>GET / HTTP/1.1
Host: api.example.com
Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=
</code></pre>
</div>
<p>There are a few issues with HTTP Basic Authentication:</p>
<ul>
<li>Credentials are sent over the wire and even though they are encoded, they are not encrypted and can easily be converted to plaintext.</li>
<li>Credentials are sent repeatedly, for each request, which widens the attack window.</li>
<li>The browser may store the password permanently if the user requests it, and it caches the password at least for the lifetime of the window/process; the cached credentials can be silently used to make requests to the server, e.g. in CSRF attacks.</li>
</ul>
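<p>To see why encoding is not encryption, here is a quick sketch (Python standard library; not part of the original post) that builds the header value shown above and reverses it:</p>

```python
import base64

# Build the Basic Auth header value for the credentials "username:password".
credentials = "username:password"
header_value = "Basic " + base64.b64encode(credentials.encode()).decode()
print(header_value)  # Basic dXNlcm5hbWU6cGFzc3dvcmQ=

# Anyone who intercepts the header can reverse it just as easily:
encoded = header_value.split(" ", 1)[1]
print(base64.b64decode(encoded).decode())  # username:password
```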
<p>Using HTTPS only solves the first issue. Even then, the credentials are only protected until SSL/TLS termination; any internal network routing, logging, etc. beyond that point can expose the plaintext credentials. Does HTTPS protect the credentials in transit? Yes. Is that enough? Usually, no. Basic Authentication with HTTPS gives you <strong>confidentiality</strong> only for the window during which SSL/TLS is in effect. In an enterprise, more often than not, SSL/TLS termination occurs well before the request reaches your API server.</p>
<h3 id="mac-message--authentication-code">MAC (Message Authentication Code)</h3>
<p>Basic Auth over HTTP exposes credentials in transit and does not guarantee integrity of the message. A MAC, on the other hand, is a hash of the credentials and the message computed with a secret key. It can be used to <strong>authenticate</strong> a message and verify its <strong>integrity</strong>. MAC is symmetric, i.e. it uses the same key to produce the MAC value for a message and to verify it.</p>
<p><img src="../assets/MAC.jpg" alt="MAC.jpg" title="MAC" /></p>
<p>To access a protected resource</p>
<div class="highlighter-rouge"><pre class="highlight"><code>/users/username/account
</code></pre>
</div>
<p>HMAC (hash-based message authentication code), an implementation of MAC, involves calculating an HMAC value:</p>
<div class="highlighter-rouge"><pre class="highlight"><code>value = base64encode(hmac("sha256", "secret", "GET+/users/username/account"))
</code></pre>
</div>
<p>The HMAC value is then sent over as an HTTP header:</p>
<div class="highlighter-rouge"><pre class="highlight"><code>GET /users/username/account HTTP/1.1
Host: api.example.com
Authorization: hmac username:[value]
</code></pre>
</div>
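<p>The pseudocode above can be made concrete with Python’s standard <code>hmac</code> module (a sketch, using the example key <code>secret</code> and request string from this post):</p>

```python
import base64
import hashlib
import hmac

def hmac_value(secret: str, message: str) -> str:
    """base64encode(hmac("sha256", secret, message)) from the example above."""
    digest = hmac.new(secret.encode(), message.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()

value = hmac_value("secret", "GET+/users/username/account")

# The receiver, holding the same secret, recomputes the value and compares it
# in constant time to avoid leaking information through timing differences.
assert hmac.compare_digest(value, hmac_value("secret", "GET+/users/username/account"))
```

Note the use of <code>hmac.compare_digest</code> rather than <code>==</code>: a naive string comparison can leak how many leading characters matched through response timing.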
<p><strong>Prevent hash reuse</strong></p>
<p>Hashing the same message repeatedly results in the same HMAC (hash). If the hash falls into the wrong hands, it can be used to make the same request at a later time. Therefore it is important to introduce entropy to the hash generation to prevent a <a href="https://en.wikipedia.org/wiki/Replay_attack">replay attack</a>. This is done by adding more data (<strong>timestamp</strong> and <strong>nonce</strong>) to the hash computation.</p>
<div class="highlighter-rouge"><pre class="highlight"><code>value = base64encode(hmac("sha256", "secret", "GET+/users/username/account+28jul201712:59:24+123456"))
</code></pre>
</div>
<p>The additional data (timestamp and nonce) is sent to the receiver for reconstructing the hash.</p>
<div class="highlighter-rouge"><pre class="highlight"><code>GET /users/username/account HTTP/1.1
Host: example.org
Authorization: hmac username:123456:[value]
Date: 28 jul 2017 12:59:24
</code></pre>
</div>
<p>The nonce is a number used only once; it is regenerated for each request, even if the request is for the same resource. The receiver reconstructs the hash with the nonce value and, if it doesn’t match the received hash value, discards the message, possibly because the hash has been used before. This ensures each request is valid once and only once.</p>
<p>If the timestamp is not within a certain range (say 10 minutes) of the receiver’s time, the receiver can discard the message as it is probably a replay of an earlier message. It is worth noting that time-limited authentication can be problematic if the sender’s and receiver’s clocks are not synchronized.</p>
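<p>A minimal sketch of the receiver-side checks described above (the function name <code>accept_request</code>, the in-memory nonce set and the 10-minute window are illustrative assumptions, not a prescribed API):</p>

```python
import time

SEEN_NONCES = set()        # in production, a shared store with expiry
MAX_CLOCK_SKEW = 10 * 60   # accept timestamps within a 10-minute window

def accept_request(timestamp: float, nonce: str) -> bool:
    """Discard replays: both stale timestamps and reused nonces are rejected."""
    if abs(time.time() - timestamp) > MAX_CLOCK_SKEW:
        return False       # too far from the receiver's clock: likely a replay
    if nonce in SEEN_NONCES:
        return False       # nonce already used: the hash has been seen before
    SEEN_NONCES.add(nonce)
    return True
```

Because old timestamps are rejected anyway, the nonce store only needs to remember values for the length of the accepted window.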
<h3 id="message-signing-using-digital-signature">Message signing using Digital Signature</h3>
<p>Digital signatures use asymmetric public key cryptography to
establish <strong>authenticity</strong> (message sent by a known sender), <strong>integrity</strong> (message wasn’t tampered with) and <strong>non-repudiation</strong> (message sent by the sender cannot be denied).</p>
<p>When signing, the sender uses <strong>their private key</strong> to write the message’s signature, and the receiver uses the <strong>sender’s public key</strong> to check that it is really from the sender. A <strong>timestamp</strong> and <strong>nonce</strong> are used in generating the signature, to prevent reuse in <a href="https://en.wikipedia.org/wiki/Replay_attack">replay attacks</a>.</p>
<p><img src="../assets/message-signing.jpg" alt="message-signing.jpg" title="Message Signing" /></p>
<p>A service (when acting as a <strong>receiver</strong>) has a list of <strong>public keys</strong> for all other services that want to talk to it and provides its <strong>public key</strong> (when acting as a <strong>sender</strong>) to other services that it wants to talk to.</p>
<p>Digital signatures can be safely used without SSL (although SSL is still recommended if the data transferred is sensitive). However, this level of security comes with a price: generating and validating signatures can be a complex process.</p>
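<p>To make the sign-with-private-key / verify-with-public-key flow concrete, here is a toy sketch using textbook RSA with deliberately tiny, insecure demo numbers (p=61, q=53). It only illustrates the mechanics; real systems must use a vetted cryptography library with proper key sizes and padding:</p>

```python
import hashlib

# Toy RSA key pair derived from p=61, q=53. Insecure by design; for
# illustration only.
n, e, d = 3233, 17, 2753   # public key: (n, e); private key: (n, d)

def sign(message: bytes) -> int:
    # The sender hashes the message and signs the hash with the private key.
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(h, d, n)

def verify(message: bytes, signature: int) -> bool:
    # The receiver recomputes the hash and checks it with the sender's public key.
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(signature, e, n) == h

sig = sign(b"GET+/users/username/account")
assert verify(b"GET+/users/username/account", sig)
```

Only the holder of <code>d</code> can produce a signature that verifies under <code>(n, e)</code>, which is what gives non-repudiation.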
<h3 id="oauth2">OAuth2</h3>
<p>OAuth2 is an open protocol that allows secure authorization via a standard method from web, mobile and desktop applications. It enables <a href="https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/federation">federated security</a>, allowing a clear separation between your API and the associated authentication and authorization mechanism. This means you can either</p>
<ul>
<li>build out the <strong>authorization server</strong> as a standalone component which is only responsible for obtaining authorization from users and issuing tokens to clients, or you can</li>
<li>outsource the <strong>authorization server</strong> as a service that the user trusts, such as a social identity provider like Facebook.</li>
</ul>
<p>This allows you to focus on building and scaling your resource APIs independent of authorization.</p>
<p>OAuth2 has multiple <a href="https://www.oauth.com/oauth2-servers/differences-between-oauth-1-2/user-experience-alternative-token-issuance-options/">flows</a>, called <em>grant types</em>, for obtaining an access token, but in essence each flow involves obtaining authorization to get an access token and then using the access token to access protected resources. An access token is commonly a <a href="https://tools.ietf.org/html/rfc7519">JSON Web Token (JWT)</a>: a base64url-encoded structure containing a header, payload and signature. A resource server can authorize the client (application) to access particular resources based on the scopes and claims in the access token.</p>
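<p>As a sketch of the JWT structure (Python standard library; the HS256 key <code>secret</code> and the claims are made-up example values, not from any real provider), a token can be assembled and its claims read back like this:</p>

```python
import base64
import hashlib
import hmac
import json

def b64url(data: bytes) -> str:
    # JWTs use base64url encoding with the padding stripped.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

# Assemble a minimal HS256 token: header.payload.signature
header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
payload = b64url(json.dumps({"sub": "username", "scope": "account:read"}).encode())
signature = b64url(hmac.new(b"secret", f"{header}.{payload}".encode(), hashlib.sha256).digest())
token = f"{header}.{payload}.{signature}"

# The resource server splits the token, verifies the signature, then reads
# the claims to make its authorization decision.
h, p, s = token.split(".")
claims = json.loads(base64.urlsafe_b64decode(p + "=" * (-len(p) % 4)))
print(claims["scope"])  # account:read
```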
<p>The authorization server provides a <code class="highlighter-rouge">/.well-known/openid-configuration</code> service discovery endpoint for clients to get information about interacting with the authorization server.</p>
<p>OAuth is for authorization, but a lot of applications need to know the user’s identity too. <a href="http://openid.net/connect/">OpenID Connect</a> adds identity to OAuth2. It is a REST-like identity layer on top of OAuth2.</p>
<p><strong>OAuth1 or OAuth2</strong></p>
<p>OAuth1 is a signature-based protocol that signs each request (usually with HMAC-SHA1), ensuring the token secret is never passed in plaintext over the wire. It is highly secure, but as with the signing schemes discussed above, you incur the cost of using specific hashing algorithms with a strict set of steps. Every major programming language has a library to handle this for you; I have a Java-based implementation of message signing <a href="https://github.com/hemantksingh/message-signing">here</a>. But this means it is no longer possible to make API calls as simply as this:</p>
<div class="highlighter-rouge"><pre class="highlight"><code>curl --user foo:bar https://api.example.com/users
</code></pre>
</div>
<p>Some services such as Twitter started providing “signature generator” tools on their developer websites so that you could generate a curl command from the website without using a library. For example, the tool on Twitter generates a curl command such as:</p>
<div class="highlighter-rouge"><pre class="highlight"><code>curl --get 'https://api.twitter.com/1.1/statuses/show.json' \
--data 'id=210462857140252672' \
--header 'Authorization: OAuth oauth_consumer_key="xRhHSKcKLl9VF7fbyP2eEw", oauth_nonce="33ec5af28add281c63db55d1839d90f1", oauth_signature="oBO19fJO8imCAMvRxmQJsA6idXk%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1471026075", oauth_token="12341234-ZgJYZOh5Z3ldYXH2sm5voEs0pPXOPv8vC0mFjMFtG", oauth_version="1.0"'
</code></pre>
</div>
<p>OAuth2 mandates TLS, so you no longer need cryptographic algorithms to create and validate signatures yourself. In an attempt to reduce complexity, all the encryption is delegated to the transport layer (TLS). With OAuth 2.0 <a href="https://www.oauth.com/oauth2-servers/differences-between-oauth-1-2/bearer-tokens/">bearer tokens</a>, only the token itself is needed in the request, so the API invocation again becomes simple:</p>
<div class="highlighter-rouge"><pre class="highlight"><code>curl https://api.example.com/profile -H "Authorization: Bearer XXXXXXXXXXX"
</code></pre>
</div>
<p>The tradeoff is that all requests must be made over HTTPS. This provides a good balance between ease of use of APIs and good security practices.</p>
<h2 id="in-summary">In summary</h2>
<p>Before deciding on an API security approach, it is important to understand what you are going to secure and how sensitive the data being managed is. APIs handling things like personal data, medical health records or financial data will need a different security approach than an API handling, say, traffic updates. It is also worth defining the scope of your API security: securing network and server infrastructure against intrusion, eavesdropping via packet sniffing, and physical threats often lies outside the scope of API security. Opting for a particular technique may depend on the specific security requirements of your application, because each technique covers different aspects of security. For example, Basic Authentication without HTTPS can provide authenticity but no integrity or confidentiality. MACs may be sufficient for internal (non public facing) APIs serving a few web applications. For highly sensitive data, digital signatures may be a necessity, but if you are looking for flexibility and performance at scale, OAuth2 bearer tokens may be the way to go.</p>
<p><em>Published Thu, 10 Aug 2017 at <a href="http://hemantkumar.net/securing-rest-apis.html">http://hemantkumar.net/securing-rest-apis.html</a></em></p>
<h1 id="making-sense-of-blockchain">Making sense of Blockchain</h1>
<p><strong>Trust</strong> is fundamental to commerce. Any business transaction is based upon trust and requires a secure way of transferring assets between the transacting parties. Financial institutions like banks provide this trust by maintaining a true record of banking transactions. Government agencies provide evidence of land titles, driving license records, medical records and other assets, often by maintaining a transaction log. They usually achieve this trust by maintaining a central store for recording transactions that can be relied upon to verify each transaction. This means that the onus of maintaining the security and sanctity of this central store also lies with the authority owning it. This gives the central authority, or the intermediary facilitating commerce between the transacting parties, great responsibility as well as control. The intermediary can pretty much dictate the rules of commerce that every transacting party needs to abide by. The intermediary can also be a single point of failure.</p>
<ul>
<li>Can a single authority prevent any illegitimate records being added or updated to the central store?</li>
<li>How tamper proof is the central store and is it independently and transparently verifiable in case of a dispute?</li>
<li>How efficient is the intermediary in fulfilling the transactions? Machine to machine communication takes place at a mind-boggling rate, but machine to machine payments can sometimes take days to clear because they have to go through the intermediary’s centralized clearing system.</li>
</ul>
<h2 id="decentralized-trust-and-control">Decentralized trust and control</h2>
<p>Blockchain attempts to reduce the cost of, and increase trust in, business transactions by using an immutable distributed transaction store on peer to peer networks rather than a central store. In simple terms, rather than a single authority like a bank being responsible for maintaining the transactions, a group of people running blockchain servers now does this. They ensure that the information stored in the distributed ledger is immutable and verifiable by applying techniques like cryptography and hashing (explained below). This decentralized approach allows customers to make an exchange (e.g. pay for an item) without the involvement of an intermediary.</p>
<p><img src="http://hemantkumar.net/assets/blockchain.jpg" alt="Blockchain" /></p>
<h2 id="underlying-technology">Underlying technology</h2>
<ul>
<li>
<p><strong>Peer to peer network</strong>
A group of computers that can communicate among
themselves without relying on a single central authority or having a single point of failure.</p>
</li>
<li>
<p><strong>Asymmetric cryptography</strong>
A way to send a message encrypted for specific recipients
such that anyone can verify the sender’s authenticity but
only intended recipients can read the message contents.</p>
</li>
<li>
<p><strong>Cryptographic hashing</strong>
A way to generate a small, unique “fingerprint” for any data allowing quick comparison of large data sets and a secure way to verify data has not been altered. A simplified explanation of cryptographic hashing is available <a href="https://www.miracl.com/press/the-essence-of-the-blockchain">here</a>.</p>
</li>
</ul>
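<p>The fingerprint property is easy to demonstrate with any cryptographic hash function (a small Python sketch using SHA-256, added here for illustration):</p>

```python
import hashlib

def fingerprint(data: bytes) -> str:
    """A cryptographic hash is a short, fixed-size fingerprint of any data."""
    return hashlib.sha256(data).hexdigest()

a = fingerprint(b"Alice pays Bob 10 coins")
b = fingerprint(b"Alice pays Bob 40 coins")  # a single character changed
print(a == b)   # False: a tiny change yields a completely different fingerprint
print(len(a))   # 64 hex characters, regardless of the size of the input
```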
<h3 id="how-do-we-ensure-the-rules-are-being-followed">How do we ensure the rules are being followed?</h3>
<ul>
<li>
<p>The group of people who maintain the distributed ledger are called bookkeepers. Transactions often reach different bookkeepers in a different order, depending upon which bookkeepers are online. Bookkeepers need to agree on the order of transactions, the rules about money creation, the version of software to run and the transaction formats.</p>
</li>
<li>
<p>Periodically bookkeepers are allowed to add money to their own accounts, thereby creating money out of thin air. But this is only allowed according to very constrained rules. Those rules include a gradual very slow rate of money creation, until no more money can be created.</p>
</li>
<li>
<p>A math-based voting system determines what the majority thinks. Bitcoin requires bookkeepers to solve a very special math problem in order to vote. Voting has a cost in terms of electricity and computing power, making it prohibitively costly for anyone to control the vote. This is called <em>“proof of work”</em>, described in the original Bitcoin white paper as <em>“one vote per CPU”</em> instead of one vote per person.</p>
</li>
<li>
<p>Voting happens roughly every 10 minutes, which allows all bookkeepers to stay synchronized. Each new group of transactions that gets approved is called a block, and these blocks are linked together in a chain called the <strong>blockchain</strong>.</p>
</li>
</ul>
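<p>The chaining of blocks via hashes can be sketched in a few lines (an illustrative toy, ignoring proof of work and networking; the point is that tampering with an earlier block breaks the links that follow it):</p>

```python
import hashlib
import json

def block_hash(block: dict) -> str:
    # Each block's hash covers its transactions and the previous block's hash,
    # so altering an earlier block invalidates every block after it.
    return hashlib.sha256(json.dumps(block, sort_keys=True).encode()).hexdigest()

def build_chain(groups):
    chain, prev = [], "0" * 64   # "0" * 64 marks the genesis block
    for txs in groups:
        block = {"prev": prev, "transactions": txs}
        chain.append(block)
        prev = block_hash(block)
    return chain

def is_valid(chain) -> bool:
    prev = "0" * 64
    for block in chain:
        if block["prev"] != prev:
            return False
        prev = block_hash(block)
    return True

chain = build_chain((["a->b:5"], ["b->c:2"], ["c->a:1"]))
assert is_valid(chain)
chain[0]["transactions"] = ["a->b:500"]   # tamper with an early block
assert not is_valid(chain)                # the chain no longer verifies
```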
<h2 id="impact-on-financial-services">Impact on financial services</h2>
<ul>
<li>Due to the lack of trust, very little data is shared amongst financial institutions. Blockchain reduces this trust deficit and can allow seamless transfer of digital assets within a business network and better sharing of data across businesses.</li>
<li>Creation of secured, shared data with common standards - a public distributed ledger that keeps a record of all financial transactions.</li>
<li>Reduced need for reconciliation at both ends of the business (purchaser and supplier).</li>
<li>Certification of documents without having to go to a central certifying authority.</li>
</ul>
<h2 id="impact-on-iot">Impact on IOT</h2>
<p>The trust gap in commerce is on the rise. Identity fraud alone keeps setting new records every year. Today we transact not only with humans but with machines and smart devices. How do we trust all the new IOT devices that are coming online? One prediction suggests that by 2020 we will have 7 times more smart devices than human beings in the world; that’s about 50 billion devices in 2020 that we’ll have to transact with and trust. Blockchain allows:</p>
<ul>
<li>Securely sharing any information between machines, including connected vehicles, smart appliances, or manufacturing equipment.</li>
<li>Once trust is built into these devices, they can be trusted to order their own spare parts, optimize packing of materials, or pay for their own electricity.</li>
</ul>
<p><em>Published Thu, 13 Apr 2017 at <a href="http://hemantkumar.net/making-sense-of-blockchain.html">http://hemantkumar.net/making-sense-of-blockchain.html</a></em></p>
<h1 id="demonetisation-surgical-strike-or-carpet-bomb">Demonetisation: Surgical strike or carpet bomb</h1>
<p>At 8pm on the 8th of November, Prime Minister Narendra Modi announced that from midnight all 500-rupee and 1,000-rupee notes would cease to be legal tender. This deliberate shock demonetisation policy was announced with the following three main objectives:</p>
<ul>
<li>Removal of counterfeit currency</li>
<li>Stamping out black money</li>
<li>Move towards a cashless economy</li>
</ul>
<p>This was a bold move, as a surprise of this nature is meant to disrupt an economy in which 90% of all transactions are conducted in cash and the two cancelled notes account for 86% of all the currency in circulation. This was both economically and politically a risky move. The prime minister even had to make an emotional plea to the nation to back him and stick with the hardships caused by demonetisation for 50 days. In the past couple of weeks there has been a lot of anguish and distress amongst the general public, with hours of queues outside banks and even <a href="http://www.huffingtonpost.in/2016/11/17/day-9-demonetisation-death-toll-rises-to-55/">deaths</a> being reported.</p>
<p>The media has called this a surgical strike on black money and corruption. Is this really a game changer that will get rid of the black money and corruption in India or are we paying too high a price for a supposedly elusive benefit? Let’s begin by looking closely at the three objectives individually.</p>
<h3 id="removal-of-counterfeit-currency">Removal of counterfeit currency</h3>
<p><strong>Benefit:</strong> Funding for terror and other subversive activities in counterfeit currency will be removed.</p>
<p><em>Does demonetisation achieve removal of counterfeit currency?</em> Yes! <em>Was this the only way of going about it?</em> No! A phased release of new currency would have achieved the same objective without starting the panic that we are seeing today in the financial system. A lot of countries do this all the time in a managed way, by introducing redesigned bills to improve the security of the currency. A shock to the system, or the so-called <em>surgical strike</em>, does mean less time for counterfeiters to move their money around, but it also means giving less time to genuine traders and small businesses to get on with their daily trade. That is why we are seeing a lot of disruption in the unorganised economy.</p>
<h3 id="stamping-out-of-black-money">Stamping out of black money</h3>
<p><strong>Benefit:</strong> Approximately $14 to $44 billion of black money will be extinguished.</p>
<p>According to the Ministry of Finance’s 2012 report, roughly 6 percent of total black money is held in cash. A large proportion of black money is invested in real estate or gold, and most of all it is moved abroad. Only a fraction of the funds received from illicit tax-evading activities is kept in cash, so the amount recoverable through demonetisation is a very small proportion. Even the 6 percent might not come back into the banks in full, as people who hold that cash could be, and are, laundering their black money by paying anywhere between 10 and 30%. Although the shock therapy prevents hoarders from diverting their money quickly, the target is too small to fetch or remove the entire $14 to $44 billion.</p>
<h3 id="move-towards-a-cashless-economy">Move towards a cashless economy</h3>
<p><strong>Benefit:</strong> Higher traceability of transactions, more businesses come under the tax net, higher revenues for government.</p>
<p>Did you imagine a <em>chaiwala</em> or a newspaper vendor getting paid via Paytm? It is happening now, not out of choice but out of necessity. The shock therapy has definitely made people come up with innovative ideas to support their businesses, as their livelihoods are at stake. This would not only widen tax collection as more transactions come under the tax net, but also prevent inaccurate invoicing by companies, under-reporting of sales values and reporting of non-existent transactions. However, this will take a long time, and there will be a lot of pain in the interim, especially in the rural economy, until the new notes come into wider circulation. The two cancelled notes account for 86% of all the currency in circulation; over 90% of all transactions are conducted in cash, and over 85% of workers get their incomes in cash.</p>
<h2 id="what-happens-next">What happens next?</h2>
<p>So is all the pain worth going through? The honest answer is we don’t know yet. A lot will depend on the follow-up. There is little doubt about the sincerity of the move, but the lack of planning and shoddy execution, without thinking through the consequences, has meant major disruption of the market economy. This has had an adverse impact on the unorganised sector, which accounts for 40% of GDP and 80% of all employment, causing severe hardships especially for casual daily wagers and farmers who depend solely on cash. Given that the government wanted to go ahead with demonetisation, it could have, in advance, infused a far greater number of 100-rupee notes into the economy and printed a greater quantity of 500-rupee and 2,000-rupee notes to avoid some of this disruption and pain.</p>
<p>To think that a single surgical strike will end corruption and expunge all black money would be naive. In order to remove the roots of corruption, what is needed is structural and fundamental reform in the major sources of corruption, i.e. tax, real estate and political funding. Demonetisation is barely scratching the surface; if the follow-up to it is a carpet bomb of reforms, we may have a chance against corruption, otherwise precious time will continue to be wasted in debating the worth of this move while <em>notebank</em> politics continues.</p>
<p><em>Published Sun, 20 Nov 2016 at <a href="http://hemantkumar.net/demonetisation-surgical-strike-carpet-bomb.html">http://hemantkumar.net/demonetisation-surgical-strike-carpet-bomb.html</a></em></p>
<h1 id="think-docker-think-security">Think Docker! Think Security!</h1>
<p>Docker allows you to completely abstract the underlying operating system and run your app across multiple platforms (local machine, cloud or on-premise data centre), as long as the destination has the Docker runtime (the Docker daemon) running. With Docker, the Continuous Delivery philosophy <em>build once, deploy anywhere</em> really comes to the fore. You build your binary artifact as a Docker image that includes the entire application stack and its requirements once, and deploy the same image to various environments. This ensures the same artifact is promoted through subsequent deployments, allowing agile, continuous application delivery.</p>
<p>I have been using Docker for local development, testing and for running apps in production. Docker is pretty swift to get started with: it allows rapid app development, setting up builds, and running tests in a repeatable and consistent manner. You can get an application running on your local machine with all its dependencies (web servers, databases) fairly quickly. Does that mean you ship your machine to production? Probably not! Because you are working with the Docker abstraction, do you need to worry about any underlying security risks? Is it all taken care of, or should you even care?</p>
<h2 id="the-basics">The basics</h2>
<p>Docker is a virtualization technique used to create isolated environments, called <em>containers</em>, for running your applications. A container is quite like a VM, but lightweight: it is a bare-minimum Linux environment with the minimum packages installed, which means it uses less CPU, less memory and less disk space than a full-blown VM. Containers are more like application runtime environments that sit on top of the OS (the Docker host) and create an isolated environment in which to run your application.</p>
<p>Docker uses the resource isolation features of the Linux kernel such as <strong>Namespaces</strong>, <strong>cgroups</strong> and <strong>capabilities</strong> to create the walls between containers and other processes running in the host.</p>
<p><em>Namespaces</em> allow resources to have separate values on the host and in the container; for example, PID 1 inside a container is not PID 1 on the host. However, not all resources that a container has access to are <em>namespaced</em>, i.e. isolated between the host and the containers. Containers running on the same host still share the same operating system kernel and any kernel modules.</p>
<p><em>cgroups</em> (abbreviated from control groups) is a Linux kernel feature that limits, accounts for, and isolates the resource usage (CPU, memory, disk I/O, network, etc.) of a collection of processes.</p>
<p><em>Capabilities</em> are a set of privileges that can be independently enabled or disabled for a process to provide or restrict access to the system. Removing capabilities can cause applications to break, therefore deciding which ones to keep and which to remove is a balancing act. By default, Docker containers run with a subset of capabilities, so, for example, a container will not normally be able to modify capabilities for other containers. A complete list of removed capabilities can be found <a href="https://opensource.com/business/14/9/security-for-docker">here</a>.</p>
<h2 id="security-challenges">Security challenges</h2>
<p>So what sort of security issues should you be worried about that could affect apps running inside containers? I was at a GOTO conference in Stockholm earlier in the year where <a href="https://twitter.com/adrianmouat">Adrian Mouat</a>, speaking on Docker security, highlighted the issues mentioned below. The following is not a comprehensive list but one that should get you thinking.</p>
<ul>
<li>
<p><strong><em>Kernel exploits</em></strong>: The kernel is shared amongst all the containers and the host. A flaw in the kernel could be exploited by a container process, which could bring down the entire host.</p>
</li>
<li>
<p><strong><em>Denial of service</em></strong>: All containers share the kernel resources. If one container manages to hog kernel resources like CPU, memory or block I/O, it can starve the other containers on the host for resources, resulting in a denial of service attack.</p>
</li>
<li>
<p><strong><em>Container breakouts</em></strong>: Running as root in the container means you will be root on the host. Therefore you need to worry about a <em>privilege escalation</em> attack, where a user gains root access on the host due to a vulnerability in the application code. If an attacker gains access to one container, that should not allow access to other containers or the host. Therefore it becomes important to run your containers with restricted privileges.</p>
</li>
<li>
<p><strong><em>Tampered images</em></strong>: You need to be sure that the image that you are running is from a trusted source and not from an attacker who has tricked you. The images that you run should also be up to date, scanned and without any known security vulnerabilities.</p>
</li>
<li>
<p><strong><em>Secret leakages</em></strong>: Secrets for your applications (like API keys and database passwords) need to be protected from falling into the wrong hands. You need to be very careful before putting these as plain text in source code; for example in a Dockerfile. Once a secret has made it into the Dockerfile, even if you remove it later, an attacker can still retrieve it from the history of the Docker image built from that Dockerfile. Ideally, store application secrets in a secret vault with restricted access, which serves as a secure mechanism for distributing them.</p>
</li>
</ul>
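<p>The secret-leakage point above can be sketched on the command line. The image name and variable below are hypothetical; the point is that every layer of an image is retained, so a secret baked in by an earlier Dockerfile instruction survives its later "removal":</p>

```shell
# Hypothetical Dockerfile that bakes a secret into a layer:
#   FROM alpine
#   ENV API_KEY=super-secret
# Even if a later instruction unsets or deletes it, the value can still
# be recovered from the image's layer history and metadata:
docker history --no-trunc my-app:latest | grep API_KEY
docker inspect my-app:latest --format '{{.Config.Env}}'
```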
<h2 id="mitigations">Mitigations</h2>
<p>Having gone through key Docker security issues, let's look at some ways to prevent them. The <a href="https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.11.0_Benchmark_v1.0.0.pdf">CIS Docker Benchmark</a> provides an elaborate list of Docker security recommendations. Defence in depth is a common approach to security that involves building multiple layers of defences in order to hinder attackers. The following mitigations are based on securing the host, container and image in a container-based environment.</p>
<h3 id="host-and-kernel">Host and kernel</h3>
<ul>
<li>
<p>Use a good quality supported host system for running containers with regular security updates. Keep the kernel updated with the latest security fixes. The security of the kernel is paramount.</p>
</li>
<li>
<p>Apart from updating and patching the kernel, it might be worth considering running a hardened kernel using patches such as those provided by <a href="https://grsecurity.net/">grsecurity</a> and <a href="https://pax.grsecurity.net/"><em>PaX</em></a>. This provides extra protection against attackers manipulating program execution by modifying memory (such as <em>buffer overflow attacks</em>).</p>
</li>
</ul>
<h3 id="run-containers-with">Run containers with</h3>
<ul>
<li>
<p>Minimum set of privileges (non-admin). When a vulnerability is exploited, it generally provides the attacker with access and privileges equal to those of the application or process that has been compromised. Ensuring that containers operate with the least privileges and access required to get the job done reduces your exposure to risk. A Docker container runs as root by default if no user is specified. Create a non-privileged user and switch to it using a <code class="highlighter-rouge">USER</code> statement before the entrypoint script in the <code class="highlighter-rouge">Dockerfile</code>.</p>
</li>
<li>
<p>Limited file system (read-only access). Prevents attackers from writing a script and tricking your application into running it. This can be done by passing the <code class="highlighter-rouge">--read-only</code> flag to <code class="highlighter-rouge">docker run</code>.</p>
</li>
<li>
<p>Limited resources (CPU and memory). Limiting memory and CPU protects against DoS attacks. <code class="highlighter-rouge">docker run</code> provides the <code class="highlighter-rouge">-m</code> and <code class="highlighter-rouge">-c</code> options for setting a memory limit and relative CPU shares respectively for a container.</p>
</li>
<li>
<p>Limited networking. By default containers running on the same host can talk to each other whether or not ports have been explicitly published or exposed. A container should open only the ports it needs to use in production, to prevent compromised containers from being able to attack other containers.</p>
</li>
<li>
<p>No access to privileged ports. Only root can bind to privileged ports (those below 1024), so if you're talking to a privileged port you can assume you're talking to root; a container running as a non-root user should not need access to them.</p>
</li>
</ul>
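<p>Taken together, the restrictions above can be sketched as a single <code class="highlighter-rouge">docker run</code> invocation. The flag values and image name here are illustrative, not prescriptive; adjust them to what your application actually needs:</p>

```shell
# Run as a non-root user, with a read-only root filesystem (plus a tmpfs
# for scratch space), a memory limit and CPU shares, all capabilities
# dropped (adding back only what is needed), and only the application's
# port published. All values below are examples.
docker run \
  --user 1000:1000 \
  --read-only --tmpfs /tmp \
  -m 256m --cpu-shares 512 \
  --cap-drop ALL --cap-add NET_BIND_SERVICE \
  -p 8080:8080 \
  my-app:latest
```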
<h3 id="docker-images">Docker images</h3>
<ul>
<li>
<p>Only run images from trusted parties. Control the inflow of Docker images into your development environment. This means using only approved private registries and approved images and versions. Docker 1.8 introduced a new security feature called Docker Content Trust. This feature allows you to verify the authenticity, integrity, and publication date of all Docker images available on the Docker Hub registry. It is not enabled by default, but if you enable it with <code class="highlighter-rouge">export DOCKER_CONTENT_TRUST=1</code>, Docker notifies you when you attempt to pull down an image that isn't signed.
<img src="http://hemantkumar.net/assets/docker-content-trust.png" alt="Docker Content Trust" /></p>
</li>
<li>
<p>Run regular scans on your Docker images for vulnerabilities. Vulnerability management is tricky because source images aren't always patched. Even if you get the base layer up to date, you probably also have tens or hundreds of other components in your images that aren't covered by the base layer package manager. Because the environment changes so frequently, traditional approaches to patch management are irrelevant. To stay in front of the problem you have to a) find vulnerabilities as part of the continuous integration (CI) process, and b) use quality gates to prevent the deployment of unsafe and non-compliant images in the first place. Docker Hub has its own <a href="https://docs.docker.com/docker-cloud/builds/image-scan/">image scanning tool</a> and there are paid options like <a href="https://www.twistlock.com/">Twistlock</a> that provide image vulnerability analysis as well as container security monitoring.</p>
</li>
<li>
<p>If needed, remove packages that your application does not depend upon, particularly those with major or critical vulnerabilities, from the base image to reduce the attack surface.</p>
</li>
</ul>
Mon, 07 Nov 2016 15:23:00 +0000http://hemantkumar.net/think-docker-think-security.html
http://hemantkumar.net/think-docker-think-security.htmldocker,microservices,security,devopskodekitabServices, microservices, bounded context, actors.. the lot<p>I was at the DDD exchange recently where we had the likes of <a href="https://twitter.com/UdiDahan">Udi Dahan</a>, <a href="https://twitter.com/ericevans0">Eric Evans</a> and <a href="https://twitter.com/ScottWlaschin">Scott Wlaschin</a> on the panel. In a post-event Q&amp;A session I asked the panel - <em>“Is microservices SOA renamed?”</em> which triggered an hour-long debate. The panelists argued amongst themselves about what exactly a service or a microservice means. By the end of the debate I doubt any one of us was any wiser. Clearly there was no consensus on the definition of a microservice and what it actually means. It is quite a buzzword these days, yet none of the panelists could come to a common understanding. This raised a few questions in my head. Disappointed with the expert advice, I decided to look for a definition of my own.</p>
<p>As one does in such a situation, I looked up the dictionary definition of the word service - <em>“the action of helping or doing work for someone”</em>. Does a microservice fit into this general definition? In order to come up with a more definitive answer, let’s recall the knowledge that is already out there.</p>
<blockquote>“Microservices aim to do SOA well, it is a specific approach of achieving SOA in the same way as XP and Scrum are specific approaches for Agile software development.” - Sam Newman (Building Microservices)
</blockquote>
<p>If microservices are about doing SOA (service-oriented architecture) well, it is probably worth looking at the SOA tenets:</p>
<ul>
<li>Services are autonomous - Cohesive single responsibility.</li>
<li>Services have explicit boundaries - Loosely coupled, owns its data and business rules.</li>
<li>Services share contract and schema, not class, type or database.</li>
<li>Service compatibility is based upon policy - Explicitly state the constraints (structural and behavioral) which the service imposes on its usage.</li>
</ul>
<p>These tenets do not appear to be too different from object-oriented principles. According to Alan Kay’s description of Smalltalk in 1971:</p>
<blockquote>An object is a little computer that has its own memory, you send messages to it in order to tell it to do something. It can interact with other objects through messages in order to get that task done.</blockquote>
<p>An object’s private memory gives it autonomy, and message-based communication gives it an explicit boundary from other objects. Can we define a service based on the above principles? Let’s look at the tenets a bit more closely.</p>
<h1 id="what-is-a-service">What is a Service?</h1>
<ul>
<li>Autonomy of a service suggests it is independent of other services to perform its tasks, therefore in order to be independent it needs to have one and only one well defined responsibility. Uncle Bob has summarised SRP rather well - <em>“Gather together those things that change for the same reason and separate those things that change for different reasons.”</em> In short a service should not have more than one reason to change.</li>
<li>Boundaries are drawn to restrict free movement and ensure all movement is governed by a set of rules. In the context of a service this restriction is enforced on free movement of data across a service boundary. All data and business rules reside within the service imposing strict restrictions on any movement in and out.</li>
<li>Services interact with other services through a shared contract by sending messages. These messages contain stable data (i.e. immutable, think events). The data going through service boundaries is minimal and very basic.</li>
<li>Usage of a service enforces certain constraints; incoming messages must conform to an expected structure and format.</li>
</ul>
<h1 id="what-a-service-is-not">What a service is NOT</h1>
<ul>
<li>Anything with the word <em>Service</em> appended to it does not automatically qualify as a service.</li>
<li>A service that consists only of a function, such as a calculation or a validation, is a function, not a service (not to be confused with DDD’s <em>Domain Services</em>, which is a more granular concept). Making it remotely callable through RPC/SOAP still does not make it a service.</li>
<li>A service that only has data is a database not a service. Doing CRUD through REST over HTTP does not change that.</li>
</ul>
<p>Philippe Kruchten’s 4+1 <a href="https://en.wikipedia.org/wiki/4%2B1_architectural_view_model">Architecture View Model</a> describes software architecture based on multiple concurrent views.</p>
<p><img src="https://upload.wikimedia.org/wikipedia/commons/f/f2/4%2B1_Architectural_View_Model.jpg" alt="alt text" title="4+1 Architecture view model" /></p>
<p><em>4+1 Architecture View Model</em></p>
<p>I see defining services as breaking an overall system into smaller isolated subsystems so that adding features to the overall system requires touching as few subsystems as possible. This decomposition can be at the <code class="highlighter-rouge">logical level</code> (business capabilities - the reason for something to exist), <code class="highlighter-rouge">component level</code> (dlls, jars, source code repos), <code class="highlighter-rouge">process level</code> (web app, http endpoints) or the <code class="highlighter-rouge">physical level</code> (machines, hosts). <strong>Bounded context</strong> in DDD terminology focuses on the logical separation whereas <strong>Microservice</strong> focuses on the physical separation. The idea of slicing up your system into manageable chunks is the key here.</p>
<h1 id="what-is-an-actor">What is an Actor?</h1>
<p>The <strong>Actor model</strong> allows dividing a system or application into smaller isolated tasks, or actors, that can run concurrently. When an actor wants to communicate with another actor, it sends a message rather than contacting it directly; all messaging is asynchronous. Traditional approaches to concurrency are based on synchronizing shared mutable state, which is difficult to get right. Wouldn’t it be better not having to deal with coordinating threads, synchronization and locks? Actors achieve this by changing internal state between processing messages while avoiding shared state. When there are no shared state mutations, synchronization and locking are no longer required. Apart from concurrency and performance gains there are other benefits to the actor-based approach, like hot code replacement.</p>
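<p>As a minimal sketch in plain Java (no actor framework; the class and method names here are mine), an actor can be modelled as a mailbox drained by a single worker thread, so its private state is only ever touched by that one thread, between messages:</p>

```java
import java.util.concurrent.BlockingQueue;
import java.util.concurrent.LinkedBlockingQueue;
import java.util.function.IntConsumer;

// A toy counter actor: callers never touch the state directly; they post
// messages to the mailbox and one worker thread processes them in order.
class CounterActor {
    private final BlockingQueue<Runnable> mailbox = new LinkedBlockingQueue<>();
    private int count = 0; // private state, mutated only by the worker thread

    CounterActor() {
        Thread worker = new Thread(() -> {
            try {
                while (true) mailbox.take().run(); // one message at a time
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
            }
        });
        worker.setDaemon(true);
        worker.start();
    }

    void increment() { mailbox.add(() -> count++); } // asynchronous message

    // Reads also go through the mailbox, so no locks are required anywhere.
    void get(IntConsumer reply) { mailbox.add(() -> reply.accept(count)); }
}
```

Because all mutation is serialised through the mailbox, concurrent callers of <code>increment()</code> never race on <code>count</code>, and yet the class contains no <code>synchronized</code> blocks or locks.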
<h1 id="in-summary">In summary</h1>
<p>Partitioning can occur at different levels, be it a service, a microservice, an actor or even an object. What we really gain from this partitioning is isolation. We want a small computer with private memory that you can interact with through a contract, without any back-door access to its private internal state. Isolation is easily compromised in objects. We often break encapsulation by sharing an object’s private memory through public getters and setters in languages like Java and C#. Actors enforce this isolation by restricting access to private memory (internal state). Microservices make it even harder to break the isolation by often introducing physical separation and communication over a network.</p>
<blockquote>Each service ends up having its own process and/or network boundary. The contract is: a service updates its shared memory and exposes a mechanism to read from it, but the service itself is the only one allowed to write to it.</blockquote>
<p>It turns out there is nothing new that microservices offer; rather, they reinforce a lot of the old ideas, like SOA and object-oriented principles, that we have known for some time. Adding features to your system will invariably involve touching more than one subsystem at a given time but, depending upon how well the system is isolated, it should involve touching as few subsystems as possible. Isolation gives you all the good stuff - loosely coupled systems, failure isolation, independent evolution and scale. But distributed microservices are not the only way to achieve isolation. Modularised monoliths can very well be isolated too; they probably just need a bit more discipline.</p>
Fri, 30 Oct 2015 15:23:00 +0000http://hemantkumar.net/services-microservices-bounded-context.html
http://hemantkumar.net/services-microservices-bounded-context.htmlmicroservices,boundedcontext,soakodekitabProblem with mutating state<p>The purpose of any computer program is to take some inputs and produce an output. Producing an output causes the program to have an effect, which means that during its execution cycle the program changes certain values. A live program models the real world, where things change frequently over time and in parallel. But while writing programs we only have a static view of the problem domain, and with the best of intentions and tools at hand we try to manage state change in our program as it would happen in the real world. This leaves us having to deal with values that change over time. Are OO languages capable of handling this complexity easily or do we need to look further?</p>
<blockquote>“No man ever steps in the same river twice, for it's not the same river and he's not the same man.” - *Heraclitus*</blockquote>
<p>Rich Hickey in his <a href="http://www.infoq.com/presentations/Are-We-There-Yet-Rich-Hickey">keynote</a> at the JVM Languages summit talked about value, identity and state. Values are essentially constants that do not change. The flowing water in a river makes the river change constantly over time, this introduces the concept of identity. Identity is a succession of related values where the current one is caused from the previous. State is the value of an identity at a given time.</p>
<div class="language-java highlighter-rouge"><pre class="highlight"><code><span class="mi">1</span><span class="o">;</span> <span class="c1">// value (immutable)</span>
<span class="kt">int</span> <span class="n">x</span> <span class="o">=</span> <span class="mi">1</span><span class="o">;</span> <span class="c1">// identity (variables are like rivers that change)</span>
<span class="n">x</span> <span class="o">=</span> <span class="n">x</span> <span class="o">+</span> <span class="mi">1</span><span class="o">;</span> <span class="c1">// x changes state (introduces side effect)</span>
</code></pre>
</div>
<p>An assignment statement, however, mutates state and introduces the concept of time. The value of x changes before and after the assignment statement, therefore time becomes important. The assignment statement separates the code above the assignment from the code below it, because other parts of the system that can access x can now have different views of x depending upon when it is observed. If x is shared between multiple functions, objects or threads and any of them has the ability to assign to x, this can lead to <em>side effects</em>.</p>
<p>When you have a function that gives you a side effect, you need another function to undo that side effect. This leads to <a href="https://en.wikipedia.org/wiki/Nondeterministic_algorithm"><strong>non-deterministic</strong></a> results that introduce <a href="https://en.wikipedia.org/wiki/No_Silver_Bullet"><strong>accidental complexity</strong></a> (problems which engineers create and fix). For example, a program whose output is influenced by the particular order of execution of threads, or by a call to <code class="highlighter-rouge">gettimeofday</code> or some other non-repeatable thing, is generally best considered non-deterministic. This accidental complexity is inherent in OO languages. When you open a file you must also close it. Functions with side effects are also separated in time - opening a graphical context must precede closing it, using an unmanaged resource in .NET must always precede disposing of it. If these functions are not called in the correct order it leads to resource leaks. OO languages support garbage collection to manage some side effects but not all.</p>
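<p>Java’s try-with-resources is one way a language can contain this kind of temporal coupling: the close is tied to the open, so the pair can never be called in the wrong order or forgotten. A small sketch (the class and method names are mine):</p>

```java
import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;

class ReadFirstLine {
    // The reader is closed automatically when the block exits, even if
    // readLine() throws, so the open-then-close ordering cannot be violated.
    static String firstLine(String path) throws IOException {
        try (BufferedReader reader = new BufferedReader(new FileReader(path))) {
            return reader.readLine();
        }
    }
}
```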
<h1 id="managing-side-effects">Managing side effects</h1>
<p>One of the main ideas of functional programming is to manage side effects. It enables programs to make decisions based on stable values rather than those that change over time (like rivers). Evaluation of a <strong>pure function</strong> has <em>no side effects</em>: f(x) is always the same, no matter what. This leads to <a href="https://wiki.haskell.org/Referential_transparency"><strong>referential transparency</strong></a>, which implies that, given a set of inputs, a function will always produce the same output and exhibit the same behaviour.</p>
<p>A pure function is <strong>stateless</strong> rather than stateful, i.e. it does not update any shared state/memory. This means that the execution of a pure function has no effect on the output of any other function in your application. However, in practice, applications do need to have some side effects.</p>
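<p>A small Java sketch (the names are mine) contrasting a stateful function with a pure one makes the difference concrete:</p>

```java
class Purity {
    // Impure: reads and writes shared state, so the result depends on
    // how many times the function has been called before.
    static int counter = 0;
    static int nextImpure() { return ++counter; }

    // Pure: depends only on its input; next(1) is 2 every single time,
    // which is exactly what referential transparency means.
    static int next(int x) { return x + 1; }

    public static void main(String[] args) {
        System.out.println(nextImpure()); // 1 on the first call, 2 on the next
        System.out.println(next(1));      // always 2
        System.out.println(next(1));      // still 2
    }
}
```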
<blockquote>"In the end, any program must manipulate state. A program that has no side effects whatsoever is a kind of black box. All you can tell is that the box gets hotter" - *Simon Peyton-Jones (Haskell contributor)*</blockquote>
<p>The key is to limit side effects, clearly identify them, and avoid scattering them throughout your application. This can be achieved by having more and more pure functions inside your application that depend only on the input and return a value without:</p>
<ul>
<li>Accessing global memory/state</li>
<li>Modifying input(s)</li>
<li>Changing shared memory/state</li>
</ul>
<p>It is interesting to note that, in an imperative style, each of the above situations results from a use of the assignment statement. Functional programs attempt to remove the non-determinism and complexity in your application by containing side effects. This makes them easier to write and maintain:</p>
<ul>
<li>Without temporal coupling - order in which functions are called becomes irrelevant.</li>
<li>Fewer concurrency issues due to restricted updates to shared memory/state.</li>
<li>Less time spent in the debugger without having to constantly ask “<em>What is the application state ?</em>”</li>
</ul>
<h1 id="time-to-give-up-the-assignment-statement">Time to give up the assignment statement?</h1>
<p>The addition of more cores to computer hardware means the individual throughput of each core goes down, but the throughput of the chip with multiple processors goes up, provided you can take advantage of the multiple cores. In order to utilise all those cores, we will have to learn to write more pure functions. Our ability to write multi-threaded programs will depend upon the scarce and disciplined use of the assignment statement.</p>
Tue, 19 May 2015 15:23:00 +0000http://hemantkumar.net/problem-with-mutating-state.html
http://hemantkumar.net/problem-with-mutating-state.htmlfunctionalkodekitabAre mocks worth it?<p>Mocks are widely used in most TDD-practicing development teams I’ve worked with. According to <a href="http://blog.8thlight.com/uncle-bob/2014/05/10/WhenToMock.html">Uncle Bob</a>, <em>A mock object is a very powerful tool, providing two major benefits: isolation and introspection. But like all power tools, mocks come with a cost</em>. He goes on to list the benefits as well as possible issues of using mocks. Between the two extremes of too many mocks and no mocks, I tend to start with no mocks until I absolutely and necessarily need one. Therefore, I am always interested in techniques that give me the freedom of working without learning an external mocking framework. In statically typed languages like Java and C#, interface-based polymorphism allows us to use mocked implementations for tests. Functional programming provides an alternative to interface-based polymorphism.</p>
<p>Consider a problem where the quality of an item needs to be kept up to date for inventory management purposes. I am using Java in this example just because I have had to learn a Java mocking framework - <a href="http://mockito.org/">Mockito</a> on a recent project. It can better illustrate the pain I’ve had to go through trying to learn Mockito’s domain specific language and its combination of dots and parentheses. This pain is not specific to Mockito and could very well be felt for any other framework as well.</p>
<div class="language-java highlighter-rouge"><pre class="highlight"><code>
<span class="kd">public</span> <span class="kd">class</span> <span class="nc">ItemUpdater</span> <span class="o">{</span>
<span class="kd">private</span> <span class="kd">final</span> <span class="n">ItemRepository</span> <span class="n">repository</span><span class="o">;</span>
<span class="kd">public</span> <span class="nf">ItemUpdater</span><span class="o">(</span><span class="n">ItemRepository</span> <span class="n">repository</span><span class="o">)</span> <span class="o">{</span>
<span class="k">this</span><span class="o">.</span><span class="na">repository</span> <span class="o">=</span> <span class="n">repository</span><span class="o">;</span>
<span class="o">}</span>
<span class="kd">public</span> <span class="kt">void</span> <span class="nf">update</span><span class="o">(</span><span class="n">Item</span> <span class="n">item</span><span class="o">)</span> <span class="o">{</span>
<span class="n">item</span><span class="o">.</span><span class="na">decreaseQuality</span><span class="o">();</span>
<span class="k">this</span><span class="o">.</span><span class="na">repository</span><span class="o">.</span><span class="na">save</span><span class="o">(</span><span class="n">item</span><span class="o">);</span>
<span class="o">}</span>
<span class="o">}</span>
</code></pre>
</div>
<p>Now a repository is generally a facade over a database and is a significant architectural boundary for us to mock, ensuring tests can run faster without worrying about transferring data to and from the database. Presuming ItemRepository is an interface, this is how I would write my test using Mockito to ensure the item is persisted.</p>
<div class="language-java highlighter-rouge"><pre class="highlight"><code>
<span class="nd">@Test</span>
<span class="kd">public</span> <span class="kt">void</span> <span class="nf">ensuresUpdatedItemIsSaved</span><span class="o">()</span> <span class="o">{</span>
<span class="n">ItemRepository</span> <span class="n">mockedRepository</span> <span class="o">=</span> <span class="n">mock</span><span class="o">(</span><span class="n">ItemRepository</span><span class="o">.</span><span class="na">class</span><span class="o">);</span>
<span class="k">new</span> <span class="nf">ItemUpdater</span><span class="o">(</span><span class="n">mockedRepository</span><span class="o">)</span>
<span class="o">.</span><span class="na">update</span><span class="o">(</span><span class="k">new</span> <span class="n">Item</span><span class="o">(</span><span class="s">"Aged Brie"</span><span class="o">,</span> <span class="mi">2</span><span class="o">));</span>
<span class="n">verify</span><span class="o">(</span><span class="n">mockedRepository</span><span class="o">).</span><span class="na">save</span><span class="o">(</span><span class="n">any</span><span class="o">(</span><span class="n">Item</span><span class="o">.</span><span class="na">class</span><span class="o">));</span>
<span class="o">}</span>
</code></pre>
</div>
<p>Although the test above establishes that an item is saved, it does not ensure the correctness of that item. Mockito allows us to do that as well.</p>
<div class="language-java highlighter-rouge"><pre class="highlight"><code>
<span class="nd">@Test</span>
<span class="kd">public</span> <span class="kt">void</span> <span class="nf">ensuresUpdatedItemIsSaved</span><span class="o">()</span> <span class="o">{</span>
<span class="n">ItemRepository</span> <span class="n">mockedRepository</span> <span class="o">=</span> <span class="n">mock</span><span class="o">(</span><span class="n">ItemRepository</span><span class="o">.</span><span class="na">class</span><span class="o">);</span>
<span class="k">new</span> <span class="nf">ItemUpdater</span><span class="o">(</span><span class="n">mockedRepository</span><span class="o">)</span>
<span class="o">.</span><span class="na">update</span><span class="o">(</span><span class="k">new</span> <span class="n">Item</span><span class="o">(</span><span class="s">"Aged Brie"</span><span class="o">,</span> <span class="mi">2</span><span class="o">));</span>
<span class="n">ArgumentCaptor</span><span class="o">&lt;</span><span class="n">Item</span><span class="o">&gt;</span> <span class="n">argument</span> <span class="o">=</span> <span class="n">ArgumentCaptor</span>
<span class="o">.</span><span class="na">forClass</span><span class="o">(</span><span class="n">Item</span><span class="o">.</span><span class="na">class</span><span class="o">);</span>
<span class="n">verify</span><span class="o">(</span><span class="n">mockedRepository</span><span class="o">).</span><span class="na">save</span><span class="o">(</span><span class="n">argument</span><span class="o">.</span><span class="na">capture</span><span class="o">());</span>
<span class="n">Item</span> <span class="n">item</span> <span class="o">=</span> <span class="n">argument</span><span class="o">.</span><span class="na">getValue</span><span class="o">();</span>
<span class="n">assertThat</span><span class="o">(</span><span class="n">item</span><span class="o">.</span><span class="na">name</span><span class="o">).</span><span class="na">isEqualTo</span><span class="o">(</span><span class="s">"Aged Brie"</span><span class="o">);</span>
<span class="n">assertThat</span><span class="o">(</span><span class="n">item</span><span class="o">.</span><span class="na">quality</span><span class="o">).</span><span class="na">isEqualTo</span><span class="o">(</span><span class="mi">1</span><span class="o">);</span>
<span class="o">}</span>
</code></pre>
</div>
<p>The test now establishes the correctness of the item being saved, but I’ve had to write a lot of frameworky code in order to achieve that. Apart from figuring out whether the parentheses should go before or after the ‘verify’, it also requires an understanding of the domain specific language of the mocking framework. Frankly, the 3 lines of code before the assertion are just noise I’d rather do without. They are just an obstruction in the way of the most important part of the test, i.e. the assertion. When I or someone else revisits this test for a future change, it shouldn’t require navigating through all this noise to reach the assertion. So is there an alternative?</p>
<p>As explained in a <a href="http://hemantkumar.net/kodekitab/2015/01/04/from-object-to-function-composition.html">previous post</a>, single-method interfaces like ItemRepository are easy to replace using closures and “function pointers”.</p>
<div class="language-java highlighter-rouge"><pre class="highlight"><code>
<span class="kd">public</span> <span class="kd">class</span> <span class="nc">DbItemRepository</span> <span class="kd">implements</span> <span class="n">ItemRepository</span> <span class="o">{</span>
<span class="kd">public</span> <span class="kt">void</span> <span class="nf">save</span><span class="o">(</span><span class="n">Item</span> <span class="n">item</span><span class="o">)</span> <span class="o">{</span>
<span class="c1">// persist to the database</span>
<span class="o">}</span>
<span class="o">}</span>
<span class="kd">private</span> <span class="n">Item</span> <span class="n">item</span><span class="o">;</span>
<span class="nd">@Test</span>
<span class="kd">public</span> <span class="kt">void</span> <span class="nf">ensuresUpdatedItemIsSaved</span><span class="o">()</span> <span class="o">{</span>
<span class="k">new</span> <span class="nf">ItemUpdater</span><span class="o">(</span><span class="n">item</span> <span class="o">-&gt;</span> <span class="k">this</span><span class="o">.</span><span class="na">item</span> <span class="o">=</span> <span class="n">item</span><span class="o">)</span>
<span class="o">.</span><span class="na">update</span><span class="o">(</span><span class="k">new</span> <span class="n">Item</span><span class="o">(</span><span class="s">"Aged Brie"</span><span class="o">,</span> <span class="mi">2</span><span class="o">));</span>
<span class="n">assertThat</span><span class="o">(</span><span class="k">this</span><span class="o">.</span><span class="na">item</span><span class="o">.</span><span class="na">name</span><span class="o">).</span><span class="na">isEqualTo</span><span class="o">(</span><span class="s">"Aged Brie"</span><span class="o">);</span>
<span class="n">assertThat</span><span class="o">(</span><span class="k">this</span><span class="o">.</span><span class="na">item</span><span class="o">.</span><span class="na">quality</span><span class="o">).</span><span class="na">isEqualTo</span><span class="o">(</span><span class="mi">1</span><span class="o">);</span>
<span class="o">}</span>
</code></pre>
</div>
<p>With the addition of an Item member variable and a lambda expression, we’ve managed to remove four lines of code from the previous test. This is much cleaner than using Mockito and focuses on the actual test rather than the semantics of the mocking framework. The ItemRepository example has a single method, but what if an interface has multiple methods on it? In that case I personally start by writing my own mock. If you restrict yourself to mocking architectural boundaries like a database, web server or external service, you shouldn’t really need lots of mocks anyway.</p>
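When the interface grows beyond a single method, a hand-rolled mock can still stay small by doing real work only in the method under test. A minimal sketch, assuming a hypothetical LegacyItemStore interface (the names here are illustrations, not code from the post):

```java
// A hand-rolled test double for a multi-method interface: only the method the
// test exercises records anything; the rest fail loudly if called unexpectedly.
// LegacyItemStore, SavingOnlyItemStore and the Item fields are hypothetical.
class Item {
    final String name;
    final int quality;
    Item(String name, int quality) { this.name = name; this.quality = quality; }
}

interface LegacyItemStore {
    void save(Item item);
    Item findByName(String name);
    void delete(String name);
}

class SavingOnlyItemStore implements LegacyItemStore {
    Item saved; // captured for assertions, no framework required

    public void save(Item item) { this.saved = item; }

    // Methods the test never exercises are stubbed to fail loudly.
    public Item findByName(String name) { throw new UnsupportedOperationException(); }
    public void delete(String name) { throw new UnsupportedOperationException(); }
}
```

A test hands a SavingOnlyItemStore to the code under test and asserts directly on the saved field, with no mocking DSL in the way.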
<p>Mocking tools are quite powerful and I have found them to be really useful when working with legacy code. Legacy code often uses large interfaces that violate the <a href="http://en.wikipedia.org/wiki/Interface_segregation_principle">Interface segregation principle</a>. Writing your own mocks for such interfaces is often painful and unwieldy, as you might end up writing a mocked implementation with tens of methods when you are really interested in just one. I’m happy to use a mocking framework to avoid writing such massive implementations myself, in order to keep the tests maintainable. But I would certainly refrain from assuming that if I’m doing TDD or writing any sort of automated tests, I need to start with a mocking framework.</p>
Mon, 18 May 2015 15:23:00 +0000http://hemantkumar.net/are-mocks-worth-it.html
http://hemantkumar.net/are-mocks-worth-it.htmltddkodekitabHow did AAP win the way it did? By saying Sorry!!<p>The well-known reasons for AAP’s win have been written about and discussed ad nauseam: AAP’s issue-based politics; the BJP’s overconfidence, complacency, negative campaign and inability to rein in its communal forces; and the Congress’s sheer ineptitude in coming to terms with contemporary politics. It is interesting to look beyond these to try and understand the unprecedented mandate received by AAP. How did a party that was written off after the general elections, to such an extent that the BJP did not even deem it fit to campaign in Delhi until the last few weeks, achieve such a resounding victory? By saying the magic word: Sorry!</p>
<p>Politics of one-upmanship, retribution, vindictiveness and contrarianism is part and parcel of conventional politics. These traits are so ingrained in the current crop of politicians that it becomes virtually impossible for them to break out of this mould. Therefore we see parliamentary disruptions and public spats based on party politics rather than national interest. Apologies, even for grievous mistakes related to big-ticket corruption, riots and inciting communal violence, are seldom heard of within political circles. After all, the current prime minister Narendra Modi has never unequivocally apologised for the 2002 Gujarat riots that happened under his watch. Nor is this restricted to the BJP; the Congress is equally culpable of perpetuating the status quo. It took the Congress 21 years to issue a public apology in parliament for the 1984 anti-Sikh riots, through the then prime minister Manmohan Singh. It was a rare act but took far too long, and the Congress always denied charges of massive corruption during its last rule, let alone apologising for it. The consequence can be clearly seen in the rout it has received recently, election after election, in the centre as well as the states.</p>
<p>Arvind Kejriwal realised that the Delhi public was grossly unhappy with him for abruptly resigning from the post of Chief Minister after just 49 days a year ago, so he ensured that he owned up to his mistake rather than living in denial. Having admitted his fault, he went about repeatedly and clearly expressing remorse at his public meetings, moving away from the conventional political norm. This required courage and moral clarity, but some sections of the media and political pundits viewed it through the lens of the corrupt politics we have grown accustomed to and termed it political immaturity. But Delhi has shown that saying sorry is not the political hara-kiri that conventional politics perceives it to be. It has shown that Delhiites have the heart and the brains to tell policy from hyperbole. It has shown that the electorate is ready to accept a Kumar Vishwas crediting the Prime Minister, a leader from an opposing party, when he does well, unlike the Congress, which removed Shashi Tharoor as its national spokesperson for giving credit to the PM where credit was actually due. The Congress think tank believes that, as a political opponent, its primary job is to oppose for the sake of opposition. Shashi Tharoor’s recognition of the Prime Minister’s efforts to engage with SAARC leaders, and of his diplomacy with the US and Japan to build India’s international stature, was therefore seen as contrarian to the official Congress view and resulted in his dismissal.</p>
<p>Politics is about national interest, not a party’s individual interest, so expressing appreciation on national matters is okay even if it does not follow the official party line. This culture existed among our founding figures when the nation was born, but seems to have been lost over the years. There is a shift in the political landscape today that demands honesty and transparency from the caretakers of government. People are willing to forgive mistakes as long as politicians stick to these fundamental principles of honesty and transparency. AAP’s addition to the political fray is bringing about this change, taking us back to our roots.</p>
Sat, 14 Feb 2015 13:47:00 +0000http://hemantkumar.net/how-did-aap-win-way-it-did-by-saying.html
http://hemantkumar.net/how-did-aap-win-way-it-did-by-saying.htmlpoliticsFrom object to function composition<div dir="ltr" style="text-align: left;" trbidi="on"><p>Composition is a technique often used to build software by creating cohesive units that interact with each other to form the overall system. At the code level these units mainly consist of functions and objects. A system can be built by composing objects, with abstractions defining the rules for communication between them. An alternative way of building the system is to compose functions, defining the rules of communication through functional contracts (i.e. passing functions into functions). Coming from an object oriented background, I feel this second approach is worth exploring further.</p>
<p>Using the C# <a href="https://github.com/emilybache/GildedRose-Refactoring-Kata" target="_blank">GildedRose</a> kata as an example, an object oriented way of expressing the quality adjustment in a product looks like this:</p>
<script src="https://gist.github.com/hemantksingh/69e8fd8e5afbc9470bd4.js"></script>
<p>I have a couple of issues with the code above. First, there is repetition and unnecessary noise in the constructors declared for the various IAdjustQuality implementations. Secondly, IAdjustQuality and IProduct are single-method interfaces, and I am suspicious of interfaces with single methods; interfaces are generally created for a bunch of related methods.</p>
<p>An alternative way to express the quality adjustment in a Product would be to compose functions rather than objects. C# has traditionally been perceived as an object oriented language, but with lambda expressions it is very much possible to write functional code in C#. Single-method interfaces are easy to replace with closures and "function pointers", as long as the function has a signature compatible with the method declared in the single-method interface. Let's see how we can replace IAdjustQuality with its functional equivalent.</p>
<script src="https://gist.github.com/hemantksingh/066c82b9bf104a95dad5.js"></script>
<p>Creating the AdjustQuality and AdjustBackstageQuality functions removes two classes and the interface declaration itself. Notice that the AdjustQuality function uses partial application, i.e. it is a function that returns another function: the first function is applied partially to return the actual function. This should be clearer after looking at the Product class now.</p>
<script src="https://gist.github.com/hemantksingh/df9c8c7c4a6723196391.js"></script>
<p>Applying the same technique of replacing an interface with its equivalent function pointer, the IProduct interface can also be removed, and the resulting code looks like this:</p>
<script src="https://gist.github.com/hemantksingh/2ec0223783a99d38675f.js"></script>
<p>So why compose functions rather than objects? One benefit, as you may have noticed straight away, is that the functional code is succinct, with fewer lines of code (less than half of the original object oriented approach). The noise of declaring single-method interfaces and their implementations is gone. However, the functional approach might seem confusing and less readable, especially the extensive use of lambda expressions and partial application; depending on whether you come from an object oriented or a functional background, you could sway either way. There is no right or wrong here. The basic idea is that both objects and functions can be used to split your overall system into manageable chunks, and the flexibility of achieving that in more than one way is a powerful tool to have.</p></div>
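The gists above are in C#, but the partial-application idea translates directly. A minimal sketch in Java, assuming hypothetical names and a clamp of quality to the 0 to 50 range as in the GildedRose rules (this is an illustration, not the gist's code):

```java
import java.util.function.Function;
import java.util.function.UnaryOperator;

public class QualityAdjustment {
    // Partial application: applying the first argument (the adjustment amount)
    // returns another function that takes the current quality.
    // The clamp to 0..50 mirrors the GildedRose quality rules (an assumption
    // for illustration).
    static final Function<Integer, UnaryOperator<Integer>> adjustQuality =
            amount -> quality -> Math.max(0, Math.min(50, quality + amount));

    public static void main(String[] args) {
        // Partially apply the amount to get the actual adjustment function.
        UnaryOperator<Integer> degrade = adjustQuality.apply(-1);
        UnaryOperator<Integer> improve = adjustQuality.apply(1);

        System.out.println(degrade.apply(10)); // 9
        System.out.println(improve.apply(50)); // stays capped at 50
    }
}
```

The partially applied `degrade` can then be passed anywhere a single-argument adjustment is expected, exactly where an IAdjustQuality implementation would have been injected before.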
Sun, 04 Jan 2015 19:23:00 +0000http://hemantkumar.net/from-object-to-function-composition.html
http://hemantkumar.net/from-object-to-function-composition.htmlkodekitabGit Basics<h1 id="git-overview">Git overview</h1>
<ul>
<li>Distributed Version Control</li>
<li>Data Consistency and Integrity</li>
<li>Performance - Diffs are computed locally and are therefore quicker; there is no need to go over the network to perform them.</li>
<li>Merging - Merges are automatic when there are no conflicts (a conflict being more than one change at the same position in the modified file).</li>
<li>Conflicts have to be resolved manually.</li>
</ul>
<h3 id="git-commands">Git commands</h3>
<p>Clone a repository locally from the remote server</p>
<figure class="highlight"><pre><code class="language-sh" data-lang="sh">
<span class="gp">$ </span>git clone git@github.com:username/demo.git</code></pre></figure>
<hr />
<p><strong>Create new repository</strong></p>
<p>Add a new repository on GitHub named ‘demo’. Then create a local directory ‘demo’ and navigate to it on the command line.</p>
<figure class="highlight"><pre><code class="language-sh" data-lang="sh"><span class="gp">$ </span>touch README.md <span class="c"># Creates a README file </span>
<span class="gp">$ </span>git init <span class="c"># Initializes a git repository </span>
<span class="gp">$ </span>git add README.md <span class="c"># Adds the README.md file to staging area </span>
<span class="gp">$ </span>git commit -m <span class="s2">"first commit"</span> <span class="c"># Creates a commit </span>
<span class="gp">$ </span>git remote add origin git@github.com:username/demo.git <span class="c"># Specifies the remote URL </span>
<span class="gp">$ </span>git push -u origin master <span class="c"># Transfers the repository to remote server and tracks the remote branch</span></code></pre></figure>
<hr />
<p><strong>Git settings</strong><br />
Git settings are defined in a .gitconfig file, which is located in %USERPROFILE% on Windows and $HOME on Unix-based machines.</p>
<p>List the config settings</p>
<figure class="highlight"><pre><code class="language-sh" data-lang="sh"><span class="gp">$ </span>git config --list</code></pre></figure>
<p>Set the default username and email globally for the entire system</p>
<figure class="highlight"><pre><code class="language-sh" data-lang="sh"><span class="gp">$ </span>git config --global user.name <span class="s2">"Your Name Here"</span>
<span class="gp">$ </span>git config --global user.email <span class="s2">"your_email@example.com"</span></code></pre></figure>
<p>In order to override this with a different name or e-mail address for specific projects, run the command without the <code class="highlighter-rouge">--global</code> option from inside that project.</p>
<p>If git prompts you for a username and password, you are probably using the HTTPS clone URL for your repository rather than SSH. An SSH-based URL looks like git@github.com:user/repo.git. Follow the steps below to switch to SSH.</p>
<p>Verify the remote that a local repo is mapped to</p>
<figure class="highlight"><pre><code class="language-sh" data-lang="sh"><span class="gp">$ </span>git remote show
<span class="c"># or </span>
<span class="gp">$ </span>git remote</code></pre></figure>
<p>Verify the remote URL that a local repo is mapped to</p>
<figure class="highlight"><pre><code class="language-sh" data-lang="sh"><span class="gp">$ </span>git remote -v</code></pre></figure>
<p>Change the remote URL that local repo is mapped to</p>
<figure class="highlight"><pre><code class="language-sh" data-lang="sh"><span class="gp">$ </span>git remote <span class="nb">set</span>-url origin git://new.url.here</code></pre></figure>
<p>Push all local branches that have the same name on the remote. This means potentially many different branches will be pushed, including some that you might not even want to push.</p>
<figure class="highlight"><pre><code class="language-sh" data-lang="sh"><span class="gp">$ </span>git config --global push.default matching</code></pre></figure>
<p>Push only the current working branch if it has the same name on remote</p>
<figure class="highlight"><pre><code class="language-sh" data-lang="sh"><span class="gp">$ </span>git config --global push.default simple</code></pre></figure>
<hr />
<p><strong>Branches</strong></p>
<p>Get a list of all the branches</p>
<figure class="highlight"><pre><code class="language-sh" data-lang="sh"><span class="gp">$ </span>git branch -a</code></pre></figure>
<p>Create a branch and switch to it at the same time</p>
<figure class="highlight"><pre><code class="language-sh" data-lang="sh"><span class="gp">$ </span>git checkout -b &lt;branchName&gt;</code></pre></figure>
<p>Create a branch, switch to it and set the tracking/upstream branch</p>
<figure class="highlight"><pre><code class="language-sh" data-lang="sh"><span class="gp">$ </span>git checkout -b &lt;branchName&gt; --track origin/&lt;branchName&gt;</code></pre></figure>
<p>Merge with a specified branch</p>
<figure class="highlight"><pre><code class="language-sh" data-lang="sh"><span class="gp">$ </span>git merge &lt;path to remote branch&gt;</code></pre></figure>
<p>Delete a remote branch</p>
<figure class="highlight"><pre><code class="language-sh" data-lang="sh"><span class="gp">$ </span>git push origin --delete &lt;branchName&gt;</code></pre></figure>
<p>Delete a local branch</p>
<figure class="highlight"><pre><code class="language-sh" data-lang="sh"><span class="gp">$ </span>git branch -d &lt;branchName&gt;</code></pre></figure>
<p>Track a remote branch e.g. track remote master with local master</p>
<figure class="highlight"><pre><code class="language-sh" data-lang="sh"><span class="gp">$ </span>git branch --set-upstream-to<span class="o">=</span>&lt;remote&gt;/&lt;branchName&gt; &lt;branchName&gt;
<span class="gp">$ </span>git branch --set-upstream-to<span class="o">=</span>origin/master master</code></pre></figure>
<p>Compare a file in 2 branches</p>
<figure class="highlight"><pre><code class="language-sh" data-lang="sh"><span class="gp">$ </span>git difftool &lt;branch1&gt; &lt;branch2&gt; -- myfile.cs</code></pre></figure>
<p>Compare the commits in 2 branches, i.e. list the commits on one branch that are not on the other</p>
<figure class="highlight"><pre><code class="language-sh" data-lang="sh"><span class="gp">$ </span>git cherry -v &lt;branch1&gt; &lt;branch2&gt; <span class="c"># commits on branch2 that are not on branch1</span></code></pre></figure>
<hr />
<p><strong>Undoing changes</strong></p>
<figure class="highlight"><pre><code class="language-sh" data-lang="sh"><span class="gp">$ </span>git reset --hard HEAD <span class="c">#Moves the head to the most recent commit and erases all the changes in your working tree</span></code></pre></figure>
<figure class="highlight"><pre><code class="language-sh" data-lang="sh"><span class="gp">$ </span>git reset --hard &lt;sha1-commit-id&gt; <span class="c">#Moves the head to the specified commit</span></code></pre></figure>
<p>Find a commit that you undid, it is typically present in git reflog unless you have garbage collected your repository</p>
<figure class="highlight"><pre><code class="language-sh" data-lang="sh"><span class="gp">$ </span>git reflog</code></pre></figure>
<p>Remove untracked files and directories, including ignored ones</p>
<figure class="highlight"><pre><code class="language-sh" data-lang="sh"><span class="gp">$ </span>git clean -xdf</code></pre></figure>
<p>-f option required for overriding permissions<br />
-d also remove the directories<br />
-X just remove ignored files (for example - files in build dir: bin/, user setting files etc.)<br />
-x remove ignored as well as non-ignored files</p>
<hr />
<p><strong>Amend a commit</strong></p>
<p>Ensure all changes are staged</p>
<figure class="highlight"><pre><code class="language-sh" data-lang="sh"><span class="gp">$ </span>git add -A
<span class="gp">$ </span>git commit --amend -m <span class="s2">"New commit message"</span></code></pre></figure>
<p>Amend a commit with no changes to the message</p>
<figure class="highlight"><pre><code class="language-sh" data-lang="sh"><span class="gp">$ </span>git add -A
<span class="gp">$ </span>git commit --amend --no-edit</code></pre></figure>
<hr />
<p><strong>Remove local commits</strong></p>
<p>Revert the commit without creating another commit</p>
<figure class="highlight"><pre><code class="language-sh" data-lang="sh"><span class="gp">$ </span>git revert -n &lt;sha1-commit-id&gt;</code></pre></figure>
<p>Remove local commit and reset the head to the same as remote branch</p>
<figure class="highlight"><pre><code class="language-sh" data-lang="sh"><span class="gp">$ </span>git reset HEAD^ <span class="c"># undo the last commit, keeping its changes</span>
<span class="c"># or</span>
<span class="gp">$ </span>git reset origin/branchName --hard <span class="c"># match the remote branch, discarding changes</span></code></pre></figure>
<p>Remove local commit but keep changes</p>
<figure class="highlight"><pre><code class="language-sh" data-lang="sh"><span class="gp">$ </span>git reset &lt;sha1-commit-id&gt; <span class="c">#Undoes the commit after sha1-commit-id</span>
<span class="c">#and keeps the changes in working directory</span></code></pre></figure>
<hr />
<p><strong>Rearrange commits</strong></p>
<figure class="highlight"><pre><code class="language-sh" data-lang="sh"><span class="gp">$ </span>git rebase -i</code></pre></figure>
<p>Rebase your last 2 local commits</p>
<figure class="highlight"><pre><code class="language-sh" data-lang="sh"><span class="gp">$ </span>git rebase -i HEAD~2</code></pre></figure>
<p>Abort a rebase</p>
<figure class="highlight"><pre><code class="language-sh" data-lang="sh"><span class="gp">$ </span>git rebase --abort</code></pre></figure>
<p>Move to an old commit</p>
<figure class="highlight"><pre><code class="language-sh" data-lang="sh"><span class="gp">$ </span>git reflog</code></pre></figure>
<p>Suppose the old commit that you want to go back to was HEAD@{5} in the ref log</p>
<figure class="highlight"><pre><code class="language-sh" data-lang="sh"><span class="gp">$ </span>git reset --hard HEAD@<span class="o">{</span>5<span class="o">}</span></code></pre></figure>
<p>Go back to the previous commit</p>
<figure class="highlight"><pre><code class="language-sh" data-lang="sh"><span class="gp">$ </span>git reset --hard HEAD~1</code></pre></figure>
<hr />
<p><strong>Finding commits</strong></p>
<p>Find a commit with text “text to find”</p>
<figure class="highlight"><pre><code class="language-sh" data-lang="sh"><span class="gp">$ </span>git log --grep<span class="o">=</span><span class="s2">"text to find"</span> --pretty<span class="o">=</span>oneline</code></pre></figure>
<hr />
<p><strong>Create patch</strong></p>
<p>Creating a patch</p>
<figure class="highlight"><pre><code class="language-sh" data-lang="sh"><span class="gp">$ </span>git diff &gt; &lt;name&gt;.patch</code></pre></figure>
<hr />
<p><strong>Stash your work</strong></p>
<figure class="highlight"><pre><code class="language-sh" data-lang="sh"><span class="gp">$ </span>git stash</code></pre></figure>
<p>Stash work with comment</p>
<figure class="highlight"><pre><code class="language-sh" data-lang="sh"><span class="gp">$ </span>git stash save &lt;comment&gt;</code></pre></figure>
<p>List the stashes</p>
<figure class="highlight"><pre><code class="language-sh" data-lang="sh">
<span class="gp">$ </span>git stash list</code></pre></figure>
<p>Apply a stash</p>
<figure class="highlight"><pre><code class="language-sh" data-lang="sh">
<span class="gp">$ </span>git stash apply <span class="c">#Applies the stash at the top</span>
<span class="gp">$ </span>git stash apply stash@<span class="o">{</span>n<span class="o">}</span> <span class="c">#Applies the stash at 'n' and keeps it in the stash stack </span>
<span class="gp">$ </span>git stash pop stash@<span class="o">{</span>n<span class="o">}</span> <span class="c">#Applies the stash at 'n' and removes it from the stash stack</span></code></pre></figure>
<p>Drop a stash</p>
<figure class="highlight"><pre><code class="language-sh" data-lang="sh"><span class="gp">$ </span>git stash drop <span class="c">#Drops the stash at the top</span>
<span class="gp">$ </span>git stash drop stash@<span class="o">{</span>n<span class="o">}</span> <span class="c">#Drops the stash at 'n'</span></code></pre></figure>
<p>Create a branch from a stash</p>
<figure class="highlight"><pre><code class="language-sh" data-lang="sh"><span class="gp">$ </span>git stash <span class="c">#Stash your work</span>
<span class="gp">$ </span>git stash branch &lt;branchName&gt; <span class="c">#Switch to a new branch that contains the stashed work</span></code></pre></figure>
<p>This creates a new branch for you, checks out the commit you were on when you stashed your work,
reapplies your work there, and then drops the stash if applied successfully.</p>
<hr />
<p><strong>Tags</strong></p>
<p>List all the tags</p>
<figure class="highlight"><pre><code class="language-sh" data-lang="sh"><span class="gp">$ </span>git tag</code></pre></figure>
<p>Create a tag</p>
<figure class="highlight"><pre><code class="language-sh" data-lang="sh"><span class="gp">$ </span>git tag &lt;tagname&gt;</code></pre></figure>
<p>By default, the git push command doesn’t transfer tags to remote servers. Push tags to a shared server after you have created them</p>
<figure class="highlight"><pre><code class="language-sh" data-lang="sh"><span class="gp">$ </span>git push origin &lt;tagname&gt;</code></pre></figure>
<p>Push all of your tags to the remote server that are not already there</p>
<figure class="highlight"><pre><code class="language-sh" data-lang="sh"><span class="gp">$ </span>git push origin --tags</code></pre></figure>
<hr />
<p><strong><a href="https://help.github.com/articles/generating-ssh-keys/">Generating SSH Keys</a></strong></p>
<p>Adding an SSH key to the ssh-agent</p>
<figure class="highlight"><pre><code class="language-sh" data-lang="sh"><span class="gp">$ </span>ssh-add ~/.ssh/id_rsa</code></pre></figure>
<p>On trying to add the SSH key to the ssh-agent you can get the following error: ‘Could not open connection to your authentication agent’. You need to start the ssh-agent before you can run the ssh-add command:</p>
<figure class="highlight"><pre><code class="language-sh" data-lang="sh"><span class="gp">$ </span>eval `ssh-agent -s`</code></pre></figure>
<p>Once the key has been added, git should not ask for the key passphrase on every push/pull.</p>
<hr />
Thu, 02 Oct 2014 19:23:00 +0000http://hemantkumar.net/git-basics.html
http://hemantkumar.net/git-basics.htmlgitkodekitab